Join 34,000+ subscribers and receive articles from our blog about software quality, testing, QA and security.

LDAP Authentication to multiple OUs



I want to apologize in advance if I missed this in the forum search.

I’m having trouble with the LDAP auth.php script. In my environment I have multiple top level OUs and when I define AUTH_DN with only the DC I get the following error for any username I supply (legitimate or fake).

“External auth: Search: Operations error (failed to retrieve user object)”

Here’s the script that produces that error:

define(‘AUTH_HOST’, ‘’);
define(‘AUTH_PORT’, 389);
define(‘AUTH_BIND_DN’, ‘CN=ELDAP,OU=Service Accounts,OU=Accounts,OU=City,OU=Locations,DC=foo,DC=com’);
define(‘AUTH_BIND_PASSWORD’, ‘12345’);
define(‘AUTH_FILTER’, ‘sAMAccountName=%name%’);
define(‘AUTH_FALLBACK’, false);
define(‘AUTH_CREATE_ACCOUNT’, true);
define(‘AUTH_NAME_ATTRIBUTE’, ‘displayname’);
define(‘AUTH_MAIL_ATTRIBUTE’, ‘mail’);

if I supply AUTH_DN with a OU, for example,


it finds users in the Sites OU but doesn’t find users in other OUs (as expected). Is there a way to specify multiple top level OUs in AUTH_DN, or perhaps something else I’m missing that would make the search work only supplying the DC?


Hi Niko

Thanks for your posting. Is this a generic LDAP server or is this an Active Directory server? If it’s an Active Directory server I recommend using the Active Directory script instead:

The Active Directory script should be able to authenticate against the top level DC. If you are using another LDAP service you could try adding the following line to the _ldap_open_connection method (directly after the other ldap_set_option call):

ldap_set_option($handle, LDAP_OPT_REFERRALS, 0);

This option enables our Active Directory script to authenticate against the top level DC and we don’t have this option in our generic LDAP script yet.

I hope this helps.



I have the same question. I am using the Active Directory script and was able to authenticate against the top level OU, however there are only two groups I want having access to this, so opening this to everyone is undesirable. Is there a way to specify an “OR” in the AUTH_DN?


Hi Chris,

Thanks for your posting. You should still be able to to limit the authentication to just two groups using the AUTH_MEMBERSHIP configuration option. You would specify a top level OU for the AUTH_DN option, and further limit the access via the group membership. The membership option uses regular expressions, so you should be able to use the following approach to allow one of two groups (OR):

AUTH_MEMBERSHIP = ‘/^(CN=My Group,)|(CN=Another Group,)/’

Could you try this please?